Evaluation of the Self-Assessment Process
For Information System Security

Report No. 03-02, December 27, 2002


INTRODUCTION

This report presents the results of the Office of Inspector General’s (OIG) evaluation of the self-assessment process for information system security at the Railroad Retirement Board (RRB).

BACKGROUND

The RRB administers comprehensive retirement/survivor and unemployment/sickness benefit programs for railroad workers and their families under the Railroad Retirement Act (RRA) and Railroad Unemployment Insurance Act (RUIA). These programs provide income protection to railroad workers and their families during old age and in the event of disability, death, temporary unemployment, or sickness. The RRB paid over $8.8 billion in benefits during fiscal year (FY) 2002.

The RRB’s information system environment consists of two general support systems and seven major application systems. The two general support systems are the data processing system, which supports all mainframe computing activity, and the end-user computing system, which supports the agency’s local and wide area networks.

The RRB’s major application systems correspond to its critical operational activities: payment of RRA and RUIA benefits, maintenance of compensation and service records, administration of Medicare entitlement, financial management, personnel/payroll, and the RRB’s financial interchange with the Social Security Administration.

An information security self-assessment is a key part of the annual agency program review process. The self-assessment process is used to determine the current status of a security program and, where necessary, to establish a target for improvement.

The Office of Management and Budget (OMB) has instructed agencies to apply National Institute of Standards and Technology (NIST) guidelines to achieve adequate security over Federal computer systems. NIST has published a self-assessment guide that presents a standardized approach for assessing system security using long-standing requirements found in statute, policy, and other guidance.[1] The guide establishes a minimum standard for evaluating the security of Federal information systems. It includes an extensive questionnaire containing specific control objectives, elements, and techniques against which systems can be tested and measured.

[1] NIST Special Publication 800-26, “Security Self-Assessment Guide for Information Technology Systems,” November 2001.

The Government Information Security Reform Act (GISRA), signed into law October 30, 2000, required annual agency program reviews and annual Inspector General security evaluations, with subsequent reports to OMB and Congress. In FY 2001, agencies had wide latitude in selecting a self-assessment methodology. In FY 2002, OMB mandated implementation of the NIST methodology. Compliance with this requirement could be achieved through the use of the NIST self-assessment guide or an equivalent evaluation tool.

In FY 2002, OMB directed Federal agencies to confirm, as part of the GISRA reporting process, whether their assessment methodology was comprehensive with respect to key NIST standards. Although the RRB reported that its self-assessment process had sufficiently addressed all NIST objectives, the OIG disagreed. In its report to OMB, the OIG stated that “our evaluation of the RRB questionnaire confirms seven of the 17 NIST elements were addressed. However, the RRB questionnaire deals primarily with general policy and procedure issues and lacks sufficient coverage to match the specific control objectives and techniques provided by NIST.”

Responsibility for the RRB’s agency-wide information security program is vested in its Chief Information Officer. The Chief Information Officer, through his staff in the Bureau of Information Services, oversees planning, implementation, and evaluation of information security, including the self-assessment process. The RRB engaged the services of contractors to facilitate the agency’s security self-assessments in FY 2001 and FY 2002.

The RRB has established the development of a sound and integrated information technology architecture, which includes information security, as a strategic element of its larger objective to use technology and automation to foster fundamental changes that improve the way the agency does business. This audit directly supports that objective.


OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this review was to evaluate the effectiveness of the self-assessment process for information system security at the RRB during FY 2001 and FY 2002. In order to accomplish our objective, we:

   •   reviewed applicable laws, regulations, and NIST guidance;
   •   obtained and reviewed self-assessment questionnaires and responses;
   •   assessed agency compliance with OMB requirements and self-assessment guidance; and
   •   interviewed agency personnel responsible for the self-assessments.

Our work was performed in accordance with generally accepted government auditing standards as applicable to the objective. Field work was conducted at RRB headquarters during September and October 2002.


RESULTS OF REVIEW

The RRB’s self-assessment process for information system security has not been effective in assessing the current status of the RRB’s security program as a basis for future improvement. In general, we observed a lack of quality control for this contractor-conducted process. Our review disclosed that the agency’s FY 2002 self-assessment process was weakened by:

   •   inadequate coverage of NIST objectives, elements, and techniques;
   •   anonymous, incomplete responses to the questionnaire that served as its basic evaluation tool; and
   •   a lack of supporting documentation.

In addition, the agency was unable to locate any significant amount of detailed documentation to support its contractor’s conclusions for FY 2001.

Management concurs with our recommendations and has planned corrective action to improve the self-assessment process. The details of our findings and recommendations follow. The full text of management’s response is included as an appendix to this report.


THE FY 2002 ASSESSMENT PROCESS WAS NOT NIST COMPLIANT

The RRB’s FY 2002 security self-assessment did not adequately address control objectives, elements, and techniques established by NIST for Federal agencies.

OMB Circular A-130 instructs Federal agencies to apply NIST guidelines in order to achieve adequate security over their computer systems. NIST has developed a self-assessment tool that consists of an extensive questionnaire containing specific control objectives, elements, and techniques against which a system can be tested and measured.

During FY 2001, specialists under contract to the agency performed security self-assessments using the NIST questionnaire. The contractor assessed the status of security in four of the agency’s nine major information systems.

In FY 2002, the agency employed the services of a different contractor to facilitate its security self-assessment. That contractor evaluated all nine systems using a questionnaire developed by the International Organization for Standardization (ISO).

The ISO questionnaire did not fully address all NIST objectives, elements, and techniques. A comparison of the ISO and NIST questionnaires showed that the subject matter was not comparable. For example, the NIST questionnaire addresses the control objective for personnel security related to an organization’s employees; the ISO questionnaire focuses on security issues related to contractor personnel.

The RRB’s contractor supplemented the ISO questionnaire with existing draft versions of computer security plans and follow-up interviews with agency personnel. However, since computer security plans do not contain an appropriate level of detail and the follow-up interview process was not fully documented, they are a poor substitute for a properly developed questionnaire. In addition, the change in methodology from FY 2001 to FY 2002 adversely affects the comparability of the data gathered.

Agency personnel have indicated that time constraints influenced their decision to accept the contractor’s methodology in lieu of the NIST questionnaire in FY 2002.

As a result, the self-assessment process does not provide a basis for determining whether the current status of information security represents an improvement or a degradation in the quality of performance over the prior period. Absent a consistent, compliant process, the RRB will be forced to continually reapply its efforts in determining the initial status of security controls. This inefficient process restricts management’s ability to build a valid plan of action for improvement.

Recommendation

The Bureau of Information Services should ensure that, whether performed by agency personnel or specialists under contract to the agency, the self-assessment process:

   1. is comprehensive with respect to NIST objectives, elements, and techniques; and
   2. provides a consistent basis for assessing changes in the agency’s security status from year to year.

Management’s Response

Management concurs with the recommendations and plans to implement an automated software tool developed by NIST to conduct future assessments. Management also plans to incorporate the self-assessment process into existing procedures.


SELF-ASSESSMENT PROCESS IS INCOMPLETE

The FY 2002 self-assessment process was incomplete. Some questionnaires were not returned, responses to some questions were not credible, and the responding officials were not identified.

The General Accounting Office (GAO) Standards for Internal Control in the Federal Government state that information shall be recorded and communicated to management and others within the entity who need it, in a form and within a time frame that enables them to carry out their internal control and other responsibilities.[2] For an entity to run and control its operations, it must have relevant, reliable, and timely communications.

[2] GAO/AIMD-00-21.3.1, November 1999.

Questionnaires for each of the RRB’s nine major systems were released to the responsible agency officials. However, responses were returned for only four systems. None of the responses were signed or dated, so it is not possible to hold individuals accountable for the quality of their responses. In addition, the questionnaires for the mainframe and end-user computing environments, which are the responsibility of the Bureau of Information Services, were incomplete and lacked credibility. One of the respondents had answered only half of the questions, and both respondents denied knowledge of an agency security policy.

The RRB has no control in place to ensure that self-assessment questionnaires are completed, returned, and contain credible information. As a result, the agency has not collected the relevant, reliable, and timely information needed to complete the security evaluations.

Recommendation

   3. The Bureau of Information Services should develop controls to ensure that the self-assessment process is complete and credible.

Management’s Response

Management concurs with the recommendation. Management plans to implement an automated software tool to facilitate the self-assessment process that will permit the Bureau of Information Services’ Risk Management Group to conduct an independent assessment and verification of the submitted results.


SELF-ASSESSMENT PROCESS IS NOT FULLY DOCUMENTED

The self-assessment process was inadequately documented in both FY 2001 and FY 2002. The self-assessment process is a significant internal control activity that should be fully documented. The RRB does not have controls in place to ensure that documentation to support contractor conclusions is retained in agency files. As a result, the basis for contractor conclusions about information security cannot be determined.

GAO Standards for Internal Control in the Federal Government state that internal control and other significant events need to be clearly documented, and that the documentation should be readily available for examination. The standards further state that control activities need to be established to monitor performance measures and indicators. These control activities should validate the propriety and integrity of performance measures, and could call for assessments and analyses that lead to further action. In FY 2002, OMB established agency self-assessments as a key performance measure to be reported under GISRA.

Agency management was unable to locate completed questionnaires or other documentation to support the FY 2001 self-assessment. The FY 2002 self-assessment process included interviews with responsible management and staff to supplement the questionnaires that served as the basic assessment tool. Neither the questions used nor the information obtained during the interviews was fully documented. Only the general subject matter of interviews conducted in FY 2002 was recorded.

Future improvement in the RRB’s security program will depend upon the agency’s ability to assess relevant and reliable security information, and to plan further action accordingly. These plans of action may require periodic modification, which can only be efficiently accomplished through the review of reliably maintained documentation.

Recommendation

   4. The Bureau of Information Services should ensure that the information gathered during the RRB’s self-assessment process, whether performed by agency staff or specialists under contract to the agency, is clearly documented and maintained.

Management’s Response

Management concurs with the recommendation. Management plans to implement an automated software tool to facilitate the self-assessment process that will provide the necessary means to obtain documented results for each self-assessment.